
Possible Duplicate:
“slash before every quote” problem

I have a weird situation where my code works on the local computer (localhost), but when I publish it on the web server it behaves differently.

I have a list of students with checkboxes alongside them so that the user can select checkboxes and, after clicking on the remove button, those are removed from the list, meaning I insert them in a different table.

Note: the studentid contains slashes, like KNC/2012/sem1/BSC/125

Now my JavaScript function makes an AJAX request and sends the values as parameters to my PHP file, which goes through the array and inserts them using a foreach loop.

JavaScript code:

    function flagRemovedStudents(iar) {
        var displayBox = document.getElementById("studentBox");
        var elements = document.getElementsByName('stids[]');
        var data = [];
        // Collect the checked student IDs as URL-encoded form fields
        for (var i = 0; i < elements.length; i++) {
            if (elements[i].checked) {
                data.push('stids[]=' + encodeURIComponent(elements[i].value));
            }
        }
        var params = "iars=" + encodeURIComponent(iar) + "&fl=" + encodeURIComponent(1) + "&" + data.join('&');
        alert(params); // just to check what values are being passed to php script
        var xmlhttp;
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        } else {
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
        xmlhttp.onreadystatechange = function () {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                var result = xmlhttp.responseText;
                alert(result);
                displayBox.className = "dimBox";
                setTimeout(function () { showStudentsAfterRemoval(iar); }, 200);
            }
        };
        xmlhttp.open("POST", "remst.php", true);
        xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xmlhttp.send(params);
    }

Now my PHP works as:

    $session = $_SESSION['sess'];
    $iarsid = mysql_real_escape_string($_POST['iars']);
    $studentid = $_POST['stids'];
    $num = 0;

    foreach ($studentid as $value) {
        // Escape each ID and use the escaped copy ($val) in the query
        $val = mysql_real_escape_string($value);
        $q1 = "insert into removedstudents(sessionid,iarsid,studentid) values('$session','$iarsid','$val')";
        $r1 = mysql_query($q1) or die(mysql_error());
        if (mysql_affected_rows() > 0) {
            $num = $num + 1;
        }
    }
    echo $num." student(s) have been removed from the responsibility.";

The problem is that on the web server the studentid is being inserted as KNC\/2012\/sem1\/BSC\/125, which is affecting my further queries.

The surprising part is that it is being inserted in the format I require on localhost, i.e. my development environment, but it somehow behaves weirdly when I put the same code on the web server. Please help.

coder101
  • So, the studentid is inserted exactly as the first example you gave? How is this a problem? – mario Jan 13 '13 at 12:51
  • @mario Oh no, this site also escaped my inserted studentid. It's like KNC, then backward slash, then forward slash, then 2012, then again slashes and so on... – coder101 Jan 13 '13 at 12:56

1 Answer


mysql_real_escape_string will do this by design (see the docs).

In this particular case, you may be better off validating the format of the ID in php using a regex, then not escaping it in the database. Obviously you need to be really careful not to open a security hole by doing this.

mysql_* functions are also deprecated now, so you should also consider using mysqli_* instead.

Rhumborl
  • Thanks, but @mario above suggested it to be a problem of magic quotes, so I used the code `if(get_magic_quotes_gpc()) { $your_text = stripslashes($your_text); }` and it worked. – coder101 Jan 13 '13 at 13:23
  • And I am encoding the input through JavaScript before sending it to PHP, so do you think what I am doing is okay? I think this won't open a security hole of sorts. – coder101 Jan 13 '13 at 13:25
  • mario's suggestion is better, and should be more secure, so go with that. But whatever you are doing with the value in javascript is irrelevant, because attackers will create their own programs to send requests to your page. So you should really validate the values in the php code anyway. The basic rule of secure coding is don't trust any input, even if you think you are the only one calling that code. – Rhumborl Jan 13 '13 at 13:30
  • Yes, I always sanitise the code at the PHP level and I never trust any input. But in this very case there was some help I needed, and stripslashes is also, I think, one of the good ways of sanitising input before processing. – coder101 Jan 13 '13 at 13:34
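
The server-side handling discussed in the answer and comments above, as an added example that is not code from the original posts: it undoes magic-quotes escaping only when the server applied it, checks each ID against an allow-list pattern, and inserts with a prepared statement. The function names, the regex (generalised from the single sample ID in the question) and the in-memory SQLite table reached through PDO, standing in for the MySQL table, are assumptions.

```php
<?php
// Added example; function names, the regex and the SQLite stand-in are assumptions.
// Assumed ID shape, generalised from the sample KNC/2012/sem1/BSC/125.
const STUDENT_ID_RE = '#\A[A-Z]{2,10}/\d{4}/sem\d/[A-Z]{2,10}/\d{1,6}\z#';

// Returns the clean ID, or null when the value is not a well-formed student ID.
function clean_student_id($raw, $magicQuotesOn)
{
    if (!is_string($raw)) {
        return null;                 // stids[][x]=... would arrive as a nested array
    }
    if ($magicQuotesOn) {
        $raw = stripslashes($raw);   // undo only what the server added
    }
    return preg_match(STUDENT_ID_RE, $raw) === 1 ? $raw : null;
}

// Inserts every valid ID with a prepared statement; returns [inserted, rejected].
function flag_removed(PDO $db, $session, $iarsid, array $ids, $magicQuotesOn)
{
    $stmt = $db->prepare(
        'INSERT INTO removedstudents (sessionid, iarsid, studentid) VALUES (?, ?, ?)'
    );
    $inserted = 0;
    $rejected = 0;
    foreach ($ids as $raw) {
        $id = clean_student_id($raw, $magicQuotesOn);
        if ($id === null) {
            $rejected++;             // reject, do not try to repair
            continue;
        }
        $stmt->execute(array($session, $iarsid, $id));
        $inserted += $stmt->rowCount();
    }
    return array($inserted, $rejected);
}

// On PHP < 8 a caller would pass function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
// here the flag is set by hand to mimic the web server in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE removedstudents (sessionid TEXT, iarsid TEXT, studentid TEXT)');
// Constructed input: the slashed ID from the question, a malformed value, a nested array.
$posted = array('KNC\/2012\/sem1\/BSC\/125', "KNC/2012/sem1/BSC/126'--", array('x'));
list($ok, $bad) = flag_removed($db, 'sess-1', '7', $posted, true);
echo "$ok inserted, $bad rejected\n";
foreach ($db->query('SELECT studentid FROM removedstudents') as $row) {
    echo $row['studentid'], "\n";
}
```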